Gentoo Forums
sshd: Did not receive identification string from UNKNOWN
lazyleopard
n00b


Joined: 06 Nov 2003
Posts: 58

Posted: Sat May 06, 2006 7:30 am    Post subject: sshd: Did not receive identification string from UNKNOWN

Before a recent update (glibc-2.3.5-r3? openssh-4.2_p1-r1?) sshd would report the IP addresses of hosts that made half-hearted attempts to establish a connection thus:
Code:
Did not receive identification string from 1.2.3.4

where 1.2.3.4 is the offender's IP address. Since the update it has instead been reporting
Code:
Did not receive identification string from UNKNOWN

Anyone any ideas where the IP address has gone?
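One way to triage the message discussed in this thread, as an added example that is not part of the original posts: it tallies these sshd events per source address and counts `UNKNOWN` entries separately, so that token never becomes a blocking or alerting key. The syslog prefix, host name and sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches the sshd message quoted in the post; the syslog prefix is assumed.
PROBE_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (\S+)"
)

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
May  6 07:30:01 gw sshd[2101]: Did not receive identification string from 192.0.2.10
May  6 07:30:09 gw sshd[2102]: Did not receive identification string from UNKNOWN
May  6 07:31:44 gw sshd[2107]: Accepted publickey for admin from 198.51.100.7 port 51122 ssh2
May  6 07:32:10 gw sshd[2110]: Did not receive identification string from 192.0.2.10
May  6 07:33:02 gw sshd[2113]: Did not receive identification string from 2001:db8::5
May  6 07:34:15 gw sshd[2119]: Did not receive identification string from UNKNOWN
"""


def tally_probes(log_text):
    """Return (Counter of probes per valid source address, unattributed count)."""
    by_source = Counter()
    unattributed = 0
    for line in log_text.splitlines():
        match = PROBE_RE.search(line)
        if not match:
            continue
        peer = match.group(1)
        try:
            # Normalise IPv4/IPv6 text so the same host is counted once.
            by_source[str(ipaddress.ip_address(peer))] += 1
        except ValueError:
            # "UNKNOWN" or anything else that is not an address: keep the
            # event, but never use the token as a blocking or alerting key.
            unattributed += 1
    return by_source, unattributed


def unattributed_ratio(log_text):
    """Fraction of probe events that carry no usable source address."""
    by_source, unattributed = tally_probes(log_text)
    total = sum(by_source.values()) + unattributed
    return unattributed / total if total else 0.0


if __name__ == "__main__":
    sources, unknown = tally_probes(SAMPLE_LOG)
    print(sources.most_common(), "unattributed:", unknown)
```

A sudden rise in the unattributed ratio is itself worth alerting on, since address-based rate limiting or banning cannot act on those events.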
julot
n00b


Joined: 27 Aug 2003
Posts: 55
Location: Mexicus

Posted: Mon May 08, 2006 1:01 pm    Post subject: Hi

It could be a badly generated TCP/IP packet, so that could be a reason for the lack of IP header, or an IPv6 packet, or even another type of packet (UDP, PPPoE, PPPTP, Tunnel).

See 2.0 and 1.4

Quote:

2.7. The lack of unique identifiers
When the Internet was still young, back in the 1980's, one could use an IP address to safely identify and locate a host. Addresses were both spatially unique (no one else had an identical address) and temporally unique (addresses didn't change). However, this is no longer the case [RFC2101]. Today, IP addresses may exhibit seemingly strange behavior that makes identifying and locating hosts much harder. The widespread use of protocols such as PPP/SLIP [RFC1990] and DHCP [RFC1541] allow a specific host's address to change over time: per-connection in the case of PPP/SLIP, while DHCP allows hosts to "lease" IP addresses for arbitrary lengths of time. On even larger time scales, details in the current Internet routing structure (i.e., Classless InterDomain Routing, "CIDR" [RFC1519]) may require that if a domain changes service providers, they will have to change their assigned range of IP addresses. Firewalls, proxy socket servers, and other "Network Address Translators" further complicate the use of IP addresses as identifiers, because they may translate addresses as traffic moves between the internal and external networks. Different hosts may appear to be using identical IP addresses, or different IP addresses may be the same host. Thus, IP addresses can no longer be used to uniquely identify a host, even over short time periods. Any security schemes which rely upon IP addresses remaining temporally or spatially unique may have vulnerabilities.


http://www.linuxsecurity.com/resource_files/documentation/tcpip-security.html

Greetings
_________________
"Sine ira et studio" Tacitus. (c.56-c.177 AD).
(With neither anger nor partiality).
lazyleopard
n00b


Joined: 06 Nov 2003
Posts: 58

Posted: Tue May 09, 2006 11:35 am

I don't think that's the cause of this particular message, which I'm seeing even when local hosts with good connectivity are involved. It started happening after glibc-2.3.5-r3 and openssh-4.2_p2-r1 were installed. Unfortunately they both appeared in the same emerge so I'm not certain which one is responsible, but I suspect the glibc change is more likely the cause...
All times are GMT